{ config, containerCfg, pkgs, lib, builder, name, ... }:
let 
  serverCfg = config.syscfg.server;

  mkServarrImage = appName: appPkg: binaryPath: pkgs.dockerTools.streamLayeredImage {
    name = appPkg.name;
    tag = appPkg.version;
    contents = with pkgs; [ cacert openssl ];
    config = {
      Cmd = [ "${appPkg}/${binaryPath}" "-nobrowser" "-data=/config" ];
      Env = [ "DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1" ];
    };
  };

  images = {
    prowlarr = mkServarrImage "prowlarr" pkgs.prowlarr "bin/Prowlarr";
    radarr   = mkServarrImage "radarr"   pkgs.radarr   "bin/Radarr";
    sonarr   = mkServarrImage "sonarr"   pkgs.sonarr   "bin/Sonarr";
    bazarr   = mkPythonImage  "bazarr"   pkgs.bazarr   "bin/bazarr";
    lidarr   = mkServarrImage "lidarr"   pkgs.lidarr   "bin/Lidarr";
    readarr  = mkServarrImage "readarr"  pkgs.readarr  "bin/Readarr";
  };

  sharedVolumes = [
    "${serverCfg.mediaPath or "/mnt/media"}:/media" # Fast hardlinking requires a single shared root
    "${serverCfg.configPath}/servarr:/config-root"
  ];
in {
  # Initialize atomic configuration structures
  paths = [
    { path = "${serverCfg.configPath}/servarr/prowlarr"; mode = "0755"; }
    { path = "${serverCfg.configPath}/servarr/radarr";   mode = "0755"; }
    { path = "${serverCfg.configPath}/servarr/sonarr";   mode = "0755"; }
  ];

  containers = {
    prowlarr = builder.mkContainer {
      subdomain = containerCfg.subdomain;
      subpath = "prowlarr";
      imageStream = images.prowlarr;
      port = 9696;
      secret = name;
      overrides.volumes = sharedVolumes ++ [ "${serverCfg.configPath}/servarr/prowlarr:/config" ];
    };

    radarr = builder.mkContainer {
      subdomain = containerCfg.subdomain;
      subpath = "radarr";
      imageStream = images.radarr;
      port = 7878;
      secret = name;
      overrides.volumes = sharedVolumes ++ [ "${serverCfg.configPath}/servarr/radarr:/config" ];
    };

    sonarr = builder.mkContainer {
      subdomain = containerCfg.subdomain
      subpath = "sonarr";
      imageStream = images.sonarr;
      port = 8989;
      secret = name;
      overrides.volumes = sharedVolumes ++ [ "${serverCfg.configPath}/servarr/sonarr:/config" ];
    };
  };

#   setup = {
#     trigger = "prowlarr"; # Triggers atomic environment verification on main controller
#     envFile = config.sops.secrets."SERVARR".path;
#     script = pkgs.writeShellScript "setup-servarr" ''
#       echo "Validating multi-container path permission nodes..."
#     #   mkdir -p ${serverCfg.configPath}/servarr/{prowlarr,radarr,sonarr}
#     '';
#   };
}